Thoughts on Security Breaches in Healthcare

A staff member at Lexington VA Medical Center, KY took patient files, slides and other patient data home on his laptop computer without authorization. The laptop held information on about 1,900 VA patients, including their names, the last four digits of their social security numbers, dates of birth and diagnoses. All of it was taken by a single employee. His motive was unknown, although the hospital did not believe the information had been used maliciously.

When protected information such as patient names, social security numbers and dates of birth is stolen, it can be misused in a number of ways. One documented abuse is using such records to fraudulently bill the government for services that were never rendered.

Security breaches are very common. Most of them happen because of:

  1. Human error
  2. Poor judgment
  3. Lack of information
  4. Malicious intent on the part of employees

An article documenting a number of breaches over a six-month period confirms this pattern. Prevention of further breaches should therefore target these four factors.

Human error, such as leaving a laptop in a public place, can be mitigated by technical controls: encrypting the data stored on laptops, geo-location, remote wipe capability, and keeping patient data in the cloud or on central servers so that little or nothing sensitive sits on the device itself. Employees should not be allowed to take laptops containing sensitive data off hospital premises unless it is absolutely necessary.

An example of poor judgment is not logging out of a workstation or the EMR after finishing work. This should be addressed through education, automatic session timeouts and similar measures.

Lack of information needs to be remedied by continuing education. Merely teaching employees what the law says is not enough; real-world examples should be used to make sure the law is actually understood. Prior security breaches, and how they could have been prevented, should be discussed with employees every year.

There will always be employees who are unhappy or have malicious intentions and who will steal sensitive data if given the chance. Employees should be allowed to access only the minimum information they need to do their work. Systems should log every access to protected health information and be able to flag irregular patterns, such as a user viewing records of patients they have no treatment relationship with, or exporting many records in a short period. Any account showing irregular activity should be suspended at once and investigated. Employees should not be permitted to copy patient data onto personal devices such as USB drives, CDs or similar media.
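The kind of access monitoring described above can be sketched in code. The following is an added example written for this page, not code from the original post or from any VA or EHR system. The audit log format, the field names, the treatment-relationship table, the thresholds and every sample record are constructed assumptions chosen to show the checks; a real EHR would supply its own audit schema and the thresholds would be tuned per department.

```python
"""Flag irregular access to protected health information (PHI) in an EHR audit log.

Added example for this post; the log format, thresholds and sample data are all
constructed assumptions, not a real EHR's audit schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log, one access event per line:
# timestamp | user | role | patient_id | action
SAMPLE_LOG = """\
2011-08-22T09:05:00|nurse_a|nurse|P1001|view
2011-08-22T09:07:00|nurse_a|nurse|P1002|view
2011-08-22T09:30:00|nurse_a|nurse|P1003|view
2011-08-22T10:00:00|clerk_b|billing|P1001|view
2011-08-22T10:02:00|clerk_b|billing|P1009|view
2011-08-22T22:15:00|clerk_b|billing|P2001|view
2011-08-22T22:16:00|clerk_b|billing|P2002|export
2011-08-22T22:16:30|clerk_b|billing|P2003|export
2011-08-22T22:17:00|clerk_b|billing|P2004|export
2011-08-22T22:17:30|clerk_b|billing|P2005|export
2011-08-22T22:18:00|clerk_b|billing|P2006|export
2011-08-22T22:18:30|clerk_b|billing|P2007|export
2011-08-22T22:19:00|clerk_b|billing|P2008|export
2011-08-22T22:19:30|clerk_b|billing|P2009|export
2011-08-22T22:20:00|clerk_b|billing|P2010|export
2011-08-22T11:00:00|doc_c|physician|P1005|view
2011-08-22T11:05:00|doc_c|physician|P1005|update
"""

# Constructed treatment relationships: the patients each user may legitimately access.
# In practice this comes from scheduling, admissions or care-team assignments.
ASSIGNED = {
    "nurse_a": {"P1001", "P1002", "P1003"},
    "clerk_b": {"P1001", "P1009"},
    "doc_c": {"P1005"},
}

# Constructed thresholds (assumptions; tune per role and department).
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 counts as normal working hours
MAX_UNASSIGNED = 2              # tolerate a couple of ad-hoc lookups per day
MAX_EXPORTS_PER_DAY = 3         # bulk export is the red flag in the incident above
SUSPEND_SCORE = 3               # distinct rule hits that trigger suspension


def parse_log(text):
    """Parse the pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def analyse(events, assigned):
    """Return {user: sorted list of rule names that fired} for users with any hit."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)

    findings = {}
    for user, evs in per_user.items():
        hits = set()
        allowed = assigned.get(user, set())

        # Rule 1: access to patients the user has no treatment relationship with.
        unassigned = {e["patient"] for e in evs if e["patient"] not in allowed}
        if len(unassigned) > MAX_UNASSIGNED:
            hits.add("no_treatment_relationship")

        # Rule 2: many exports in one day (data leaving the system).
        if sum(1 for e in evs if e["action"] == "export") > MAX_EXPORTS_PER_DAY:
            hits.add("bulk_export")

        # Rule 3: any activity outside business hours.
        if any(e["ts"].hour not in BUSINESS_HOURS for e in evs):
            hits.add("after_hours")

        # Rule 4: far more distinct patients touched than the user's assignment warrants.
        if len({e["patient"] for e in evs}) > 3 * max(1, len(allowed)):
            hits.add("volume_spike")

        if hits:
            findings[user] = sorted(hits)
    return findings


def accounts_to_suspend(findings):
    """Users whose number of distinct rule hits reaches the suspension threshold."""
    return sorted(u for u, hits in findings.items() if len(hits) >= SUSPEND_SCORE)


if __name__ == "__main__":
    result = analyse(parse_log(SAMPLE_LOG), ASSIGNED)
    for user, hits in result.items():
        print(f"{user}: {', '.join(hits)}")
    print("suspend:", accounts_to_suspend(result))
```

Run against the constructed log, `clerk_b` trips all four rules (after-hours bulk export of patients outside the billing clerk's assignment) and is the only account recommended for suspension, while `nurse_a` and `doc_c` are clean. Two caveats a practitioner would add: the treatment-relationship table is the hard part and must come from a trustworthy source such as admissions or scheduling, and automatic suspension has an availability cost in a hospital, so in practice the rules raise an alert for a privacy officer to review and the suspension decision is taken quickly but by a person.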

There are many other ways in which security breaches can occur, but I believe the four above are the most important. As computers become more central to medicine, new forms of breach will appear and will need to be addressed as they arise.


Loftus, C (2011, Aug 24). VA Medical Center: Possible Privacy Violation (